Age | Commit message | Author |
|
When verifying signatures we need to be able to verify the original
data we got for an RR set, and that means we cannot simply drop flags
bits or consider RRs invalid too eagerly. Hence, instead of parsing the
DNSKEY flags store them as-is. Similarly, accept the protocol field as it
is, and don't consider it a parsing error if it is not 3.
Of course, this means that the DNSKEY handling code later on needs to
check explicitly for protocol != 3.
|
|
|
|
canonical names
We'll need this later when putting together RR serializations to
checksum.
|
|
Change the iterator counter so that a different variable is used for each
invocation of the macro, so that it may be nested.
|
|
It essentially does the same as dns_packet_append_raw_string(), hence
make it a wrapper around it.
|
|
|
|
Dns label fixes + unrelated selinux clean-up
|
|
Test fixes to run in ppc64 mock
|
|
|
|
|
|
|
|
We need to check the same thing in multiple tests. Use a shared
macro to make it easier to update the list of errnos.
Change the errno code for "uninitialized cgroup fs" for ENOMEDIUM.
Exec format error looks like something more serious.
This fixes test-execute invocation in mock.
|
|
|
|
basic: re-sort includes
|
|
My previous patch to only include what we use accidentally placed
the added includes in non-sorted order.
|
|
When constructing the journal filename to store logs from a remote host, remove the port of the tcp connection, as the port will change with every reboot/connection loss between sender/receiver machines. Having the port in the filename will cause a new journal file to be created for every reboot or connection loss.
For the implementation, a new argument "bool include_port" is added to the getpeername_pretty() function. This is passed to the sockaddr_pretty() function. The value of the include_port argument is set to true in all calls of getpeername_pretty(), except for 2 calls in journal-remote.c, where it is set to false.
|
|
When masking is used to prevent a unit from being loaded,
every transaction with dependent units would generate a warning.
Downgrade this warning to debug level.
transaction_add_job_and_dependencies only generated a few return
values found in the table in bus_common_errors.c, and EADDRNOTAVAIL
is not one of them, so do not try to suppress EADDRNOTAVAIL.
https://bugzilla.redhat.com/show_bug.cgi?id=1278264
|
|
test-acl-util: fix two issues from review
|
|
basic: include only what we use
|
|
|
|
This is a follow-up for https://github.com/systemd/systemd/pull/1994
See https://github.com/systemd/systemd/pull/1994#issuecomment-160087219
|
|
This is a cleaned up result of running iwyu but without forward
declarations on src/basic.
|
|
https://github.com/systemd/systemd/pull/2063
|
|
Let's merge access_init() and mac_selinux_access_init(), and only call
mac_selinux_use() once, inside the merged function, instead of multiple
times, including in the caller.
See comments on:
https://github.com/systemd/systemd/pull/2053
|
|
Some calls used ENOBUFS to indicate too-short result buffers, others
used ENOSPC. Let's unify this on ENOBUFS.
|
|
Let's better be safe than sorry.
|
|
domain
The root domain consists of zero labels, and we should be able to encode
that.
|
|
Make sure dns_name_normalize(), dns_name_concat(), dns_name_is_valid()
do not accept/generate invalidly long hostnames, i.e. longer than 253
characters.
|
|
Labels of zero length are not OK, refuse them early on. The concept of a
"zero-length label" doesn't exist, a zero-length full domain name
however does (representing the root domain). See RFC 2181, Section 11.
|
|
cgls: add a better error message for missing cgroupfs [v2]
|
|
Two unrelated fixes
|
|
|
|
journal: clean up permission setting and acl adjustments on user journals
|
|
https://github.com/systemd/systemd/issues/1397
|
|
This way, directories created later for containers or for
journald-remote, will be readable by adm & wheel groups by default,
similarly to /var/log/journal/%m itself.
https://github.com/systemd/systemd/issues/1971
|
|
tree-wide: remove unused variables
|
|
|
|
When we have non-owner user or group entries, we need the mask
for the acl to be valid. But acl_calc_mask() calculates the mask
to include all permissions, even those that were masked before.
Apparently this happens when we inherit *:r-x permissions from
a parent directory — the kernel sets *:r-x, mask:r--, effectively
masking the executable bit. acl_calc_mask() would set the mask:r-x,
effectively enabling the bit. To avoid this, be more conservative when
to add the mask entry: first iterate over all entries, and do nothing
if a mask.
This returns the code closer to J.A.Steffens' original version
in v204-90-g23ad4dd884.
Should fix https://github.com/systemd/systemd/issues/1977.
|
|
For now, only add_acls_for_user is tested. When run under root, it
actually sets the acls. When run under non-root, it sets the acls for
the user, which does nothing, but at least calls the functions.
|
|
|
|
Most of the function is moved to acl-util.c to make it possible to
add tests in a subsequent commit.
Setting of the mode in server_fix_perms is removed:
- we either just created the file ourselves, and the permission be better right,
- or the file was already there, and we should not modify the permissions.
server_fix_perms is renamed to server_fix_acls to better reflect new
meaning, and made static because it is only used in one file.
|
|
This reduces libraries reported by ldd by liblzma,
liblz4, libgcrypt, libgpg-error, libacl, libidn, libseccomp.
|
|
This reduces libraries reported by ldd by liblzma,
liblz4, libgcrypt, libgpg-error, libacl, libidn, libseccomp.
|
|
This reduces libraries reported by ldd by liblzma,
liblz4, libgcrypt, libgpg-error, libacl, libidn, libseccomp.
|
|
This renames __useless_struct_to_allow_trailing_semicolon__ everywhere
to _sd_useless_struct_to_allow_trailing_semicolon_, to follow our usual
rule of prefixing stuff from public headers that should be considered
internal with "_sd_".
While we are at it, also to be safe: when the struct is used in the C++
protector macros make sure to use two different names depending on
whether it appears in the C++ or C side of things. After all, there
might be compilers that don't consider C++ and C structs the same.
See https://github.com/systemd/systemd/pull/2052#discussion_r46067059
|
|
Let's distinguish the cases where our code takes an active role in
selinux management, or just passively reports whatever selinux
properties are set.
mac_selinux_have() now checks whether selinux is around for the passive
stuff, and mac_selinux_use() for the active stuff. The latter checks the
former, plus also checks UID == 0, under the assumption that only when
we run privileged selinux management really makes sense.
Fixes: #1941
|
|
Make gcc cleanup helper calls public in most of our sd-xyz APIs
|
|
resolved: add edns0 support
|
|
|
|
The header file defines some helpers for GLIBC NSS and doesn't include
anything else but glibc headers, hence there's little reason to keep it
in shared/.
See: #2008
|